Provisioning Celestix SecureAccess

To provision a Celestix SecureAccess server

  1. Navigate to the EC2 dashboard.
  2. Click the Launch Instance button in the middle pane.
  3. In the “Step 1: Choose an Amazon Machine Image” wizard, under Quick Start select AWS Marketplace.
  4. In the “Search AWS Marketplace Products” search box, enter “Celestix SecureAccess”, press the Enter key, and choose Select.
  5. Verify the product information and choose Continue.
  6. In the “Step 2: Choose an Instance Type” wizard, select the instance configuration that corresponds to your Celestix licence and choose “Next: Configure Instance Details”.
  7. In the “Step 3: Configure Instance Details” wizard, for Network choose the VPC created in section Allocate Elastic IP Address, and for Subnet choose the public subnet.
  8. In the Network Interfaces configuration, set the primary IP to an IP address within the public subnet's address range. Choose “Next: Add Storage”.
  9. In “Step 4: Add Storage”, modify the Size or Volume Type if required. Note that this will incur charges. Choose “Next: Add Tags”.
  10. In “Step 4: Add Tags”, you can create tags to identify resources based on their purpose. For example, you can create a tag with key=Purpose and Value=Testing to identify that this instance is for testing. Choose “Next: Configure Security Group”.
  11. In “Step 5: Configure Security Group”, select the security group created in section 2.2. A security group is a set of firewall rules that control the traffic for your instance. If you are creating a new security group, enter an appropriate name and description so that it can be identified when viewed in the instance details – e.g. [Security group name: SecureAccess] [Description: Allow access to ports 3389 and 443 from anywhere]. A rule for RDP access is added by default when the instance is launched.
  12. Choose Add Rule. Under Type, select HTTPS. In the Source column, leave the default settings as [Custom,::/0]. You can modify the Source column of the RDP rule to allow access only from specific IP addresses, using the Custom or My IP options.
  13. Choose Review and Launch. In “Step 7: Review Instance Launch”, review the instance launch details and choose Launch.
  14. In the “Select an existing key pair or create a new key pair” wizard, enter a name for the key pair and choose Download Key Pair. Store the key in a secure and accessible location. Without this key you cannot connect to the instance. You will be prompted for this key when you access the instance until the password is set during SecureAccess configuration.
  15. Go to the Instances view and check the instance details. In the Name column, set a name for the instance, e.g. SecureAccess Server. This helps identify the instance.
  16. Choose the Actions menu, select Networking -> Change Source/Dest. Check, and then choose Yes, Disable.
  17. Go to Elastic IPs. Select the IP address allocated in section Create a Virtual Private Cloud (VPC). Under Actions choose Associate Address. Leave the Resource type as Instance. For Instance, select the SecureAccess server instance. For Private IP choose the IP address set in step 8 of Provisioning Celestix SecureAccess. Choose Associate and then Close. Verify the association.
  18. To check whether the instance is ready to configure, select the instance. In the Status Checks column, check for “2/2 checks passed”. Choose the Actions menu and choose Instance Settings -> Instance Screenshot. A locked screen denotes that the SecureAccess server is ready for configuration.

Configure Routing Tables for SecureAccess

This configuration is required only if you plan to use a static address pool for VPN address assignment configured in step 6 of SecureAccess Setup Wizard.

  1. Navigate to the VPC dashboard.
  2. In the navigation pane choose Subnets.
  3. Choose the private subnet.
  4. Choose the Routing Table tab.
  5. Choose the routing table name (displayed as a hyperlink).
  6. Select the Route Table ID and choose Routes tab.
  7. Choose Edit and then choose Add another route.
  8. For Destination, enter the network IP that identifies the pool of addresses that will be assigned to the VPN clients. The range of IPs that you specify during the SecureAccess Server configuration should belong to this network. For Target, specify the SecureAccess server instance and choose Save.
  9. If you have resources in the private subnet of the VPC, you need to create inbound rules allowing access from this address pool. Otherwise the SecureAccess clients cannot access these resources. Refer to section Creating a Security Group for more details.
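
Steps 8 and 9 only work if three values agree: the route Destination, the static address pool entered in the setup wizard, and the source ranges of the inbound rules on the private resources. The following Python is an added example, not part of the Celestix documentation, that checks this agreement; the function names and the 10.0.50.0/24 addresses are constructed for illustration.

```python
import ipaddress


def pool_blocks(first, last):
    """Collapse the pool's first and last address into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_pool(route_destination, first, last, allowed_sources):
    """Return (problem, detail) tuples; an empty list means consistent.

    route_destination: Destination of the route added in step 8
    first, last:       static address pool entered in the setup wizard
    allowed_sources:   source CIDRs of the inbound rules from step 9
    """
    dest = ipaddress.ip_network(route_destination)
    sources = [ipaddress.ip_network(s) for s in allowed_sources]
    try:
        blocks = pool_blocks(first, last)
    except (ValueError, TypeError) as exc:   # bad address or last < first
        return [("invalid-pool", str(exc))]
    problems = []
    for block in blocks:
        # Traffic to pool addresses outside the route never reaches the server.
        if block.version != dest.version or not block.subnet_of(dest):
            problems.append(("not-routed", str(block)))
        # Clients with these addresses are blocked by the private resources.
        if not any(s.version == block.version and block.subnet_of(s)
                   for s in sources):
            problems.append(("not-allowed", str(block)))
    return problems


if __name__ == "__main__":
    # Constructed values: 10.0.50.0/24 stands in for the VPN client network.
    print(check_pool("10.0.50.0/24", "10.0.50.10", "10.0.50.200",
                     ["10.0.50.0/24"]))
    print(check_pool("10.0.50.0/24", "10.0.50.200", "10.0.51.20",
                     ["10.0.50.0/24"]))
```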

Configure SecureAccess Server

  1. Navigate to the EC2 dashboard.
  2. In the navigation pane choose Instances, choose the SecureAccess server, and note the Public DNS address.
  3. Choose the Connect button at the top. In the Connect to your instance dialog, choose Get Password. Click Choose File and browse to the key that was downloaded in step 14 of section Provisioning Celestix SecureAccess. Choose Decrypt Password and note the password.
  4. Connect to the SecureAccess web UI at https://<public DNS>. Note: A certificate warning will be displayed because the site uses a self-signed certificate. Accept the certificate to access the web UI.
  5. Log in to the UI with the user name Administrator and the password obtained in step 3. The Quick Setup wizard is displayed.

Quick Setup Wizard

  1. In General Settings/Administrator Password, specify the new password. The UI prompts for login because the password changed. Use the new password to log in.
  2. In General Settings/Date and Time, set the Date, Time and Time Zone.
  3. In General Settings/Network Interfaces, select the interface and choose Use the following IP settings. For IP Address, set the IP address configured in step 8 of section Provisioning Celestix SecureAccess. Configure the subnet mask, gateway and DNS addresses accordingly.
  4. In General Settings/Hostname and Domain, change the Hostname and join the system to the domain.
  5. Note: The system will be rebooted. Domain administrator credentials will be required to access the web UI after the reboot.
  6. After the reboot, the web UI refreshes and the Alerts Email step is displayed. Configure the Alert Email settings. This step is optional and can be configured later in the Maintenance section.
  7. The wizard is complete when the congratulations screen displays. Choosing Close displays the main dashboard. This completes the initial step.
  8. Now it’s time to install features. The following features are available:
     • Remote Access with VPN – configuration for SecureAccess VPN.
     • Network Policy Server – basic RADIUS authentication or RADIUS proxy; can also serve as a NAP policy server.
  9. In the main dashboard, navigate to SecureAccess | Features.
  10. Click the toggle button to On for the Remote Access with VPN feature.
  11. Click Apply to confirm.
  12. The feature’s status indicator will rotate while the system processes the request. A confirmation will display when the process is complete.
  13. Configuration must be customized for an environment. There are two options:
     • Click the Wizard button to open the SecureAccess VPN configuration tool.
     • Click the Remote Access with VPN link to open the Remote Access console as an RDP application.

SecureAccess setup wizard

The wizard provides the steps to configure SecureAccess VPN settings. It covers the minimum functionality; however, an individual organization may need different or additional configuration.

Deployment assumptions

  • Amazon VPC is created and network planning is complete
  • SecureAccess server instance is provisioned into the public subnet created in the VPC
  • The Remote Access with VPN feature is installed through the web UI
  • Deployment is a single server
  • A Network Location Server is available to help the SecureAccess clients decide whether they are inside or outside the corporate network. This will be a server inside the corporate network and should not be accessible from the Internet. If a separate resource cannot be allocated for this functionality, the default IIS site on port 80, i.e. http://<fqdn_of_secureaccess_server_name>, can be used. The security group of the instance should be configured to allow access to port 80 from the internal network or the range of IPs configured for SecureAccess VPN clients.
  • Necessary certificates have been acquired for VPN and NLS (optional)
  • AD will be used for SecureAccess VPN authentication and authorization
  • DNS needs to resolve to either the public host name of the SecureAccess server or the NAT device for the SecureAccess server.

  1. Access the setup wizard through the web UI at SecureAccess | Features | Remote Access with VPN | Wizard.
  2. In the Component Selection screen choose Configure VPN service. This option is selected by default. Choose Next.

Note: If the server was not joined to the domain during the Quick Setup wizard, the error message “SecureAccess deployment cannot continue because the server does not belong to the domain.” is displayed.

  3. In the VPN/Basic screen, specify the topology that matches your requirement. For Public address, enter the FQDN of the connection that clients will use to connect. Choose Next.
  4. In the VPN/Advanced screen, specify the network interfaces corresponding to the internal and/or external networks.

Note: In step 3, if you select the topology Edge or Behind an Edge (with two network adapters), this view displays two network interfaces – Internal and External. If you select Edge (with one network adapter), this view displays only Internal.

  5. Provide your SSL certificate for SSTP. The certificate subject name should match the Public address configured in step 3. If the names do not match, the error message “VPN certificate must match public connection address.” is displayed.
  6. In the VPN/Address Assignment screen, select the address assignment method. Choose Assign addresses from a static address pool. This pool should belong to the network IP that was configured in step 8 of section Configure Routing Tables for SecureAccess.

Note: Depending on the VPC scenario that you created before provisioning the SecureAccess server, if you have a DHCP server available in the private network of the VPC or plan to use the DHCP server in the corporate network, choose Assign addresses automatically.

  7. In the VPN/Authentication screen, select the authentication method. Choose Next.
  8. The wizard configuration is complete when the Finish screen displays. Verify the configuration. If you need any modifications, you can go back and make the necessary changes. Choose Next to save the configuration.
  9. The configuration is successfully saved when the Congratulations screen displays.
  10. Click the logo at the top left of the web UI to display the main dashboard. Choose SecureAccess | Remote Access Dashboard and select the SecureAccess tab.
  11. Download the SecureAccess client installers using the links provided in the Download Client section and distribute them to the users.